Vendor description:-------------------"LimeSurvey is the tool to use for your online surveys. Whether you areconducting simple questionnaires with just a couple of questions or advancedassessments with conditionals and quota management, LimeSurvey has got youcovered. LimeSurvey is 100% open source and will always be transparently developed.We can help you reach your goals."

Source: https://www.limesurvey.org/

Business recommendation:------------------------LimeSurvey suffered from a vulnerability due to improper inputand output validation. By exploiting this vulnerability an attacker could: 1. Attack other users of the web application with JavaScript code, browser exploits or Trojan horses, or 2. perform unauthorized actions in the name of another logged-in user.

The vendor provides a patch which should be installed immediately.Furthermore, a thorough security analysis is highly recommended as only ashort spot check has been performed and additional issues are to be expected.

Vulnerability overview/description:-----------------------------------1) Stored and reflected XSS vulnerabilitiesLimeSurvey suffers from a stored and reflected cross-site scripting vulnerability,which allows an attacker to execute JavaScript code with the permissions of the victim.In this way it is possible to escalate privileges from a low-privileged account e.g.to "SuperAdmin".

Proof of concept:-----------------1) Stored and reflected XSS vulnerabilitiesExample 1 - Stored XSS (CVE-2019-16172):The attacker needs the appropriate permissions in order to create new survey groups.Then create a survey group with a JavaScript payload in the title, for example:

test<svg/onload=alert(document.cookie)>

When the survey group is being deleted, e.g. by an administrative user, the JavaScriptcode will be executed as part of the "success" message.

If the URL schema is configured differently the following payload works:http://$host/index.php?r=admin/survey&mandatory=1&sid=xxx&surveyid=xxx"><img%20src=x%20onerror="alert(document.cookie)">&sa=listquestions&sort=question

Vulnerable / tested versions:-----------------------------The vulnerabilities have been verified to exist in version 3.17.9 and the latestversion 3.17.13. It is assumed that older versions are affected as well.

About SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult. Itensures the continued knowledge gain of SEC Consult in the field of networkand application security to stay ahead of the attacker. The SEC ConsultVulnerability Lab supports high-quality penetration testing and the evaluationof new offensive and defensive technologies for our customers. Hence ourcustomers obtain the most current information about vulnerabilities and validrecommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://www.sec-consult.com/en/contact/index.html~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~